Zipper the SIPR: The SolarWinds Blow
December 18, 2020
I found this article interesting: “Pentagon Forces Emergency Shutdown of Computer Network Handling Classified Material.” Since I work in rural Kentucky, I have zero clue if the information in the write is accurate; nevertheless, let me highlight one of the statements in the write up:
An emergency shutdown of a classified internal communications network was ordered at the Pentagon Tuesday. The system, called the Secret Internet Protocol Router Network, handles not only classified information but “up to the secret level”…
My hunch is that this is an “abundance of caution” move. Why caution? Why now?
Possibly the SolarWinds misstep is a reason?
At lunch today, a member of my team and I discussed the marketing of smart, 24×7 cyber security systems. Many companies engaged in this type of activity. But how secure are such security systems. Many are more alike than different; for example:
- Use of open source software
- Reliance upon standard and often manipulable statistical procedures
- Licensing tools and content from companies also in the cyber security business.
The result? Fodder for sales professionals and former art history majors now engaged in public relations, webinar production, and Madison Avenue style pitch writing.
Oh, one other result. The possible security thing at a number of US government entities, large corporations, and probably a handful of non governmental organizations.
Big deal? For some, yep, big deal. For others, what’s the hoo-hah about? Just close that deal, book the business, and collect the fees. What’s more important than cyber security? Revenue perhaps?
Stephen E Arnold, December 18, 2020
Explaining the 2020 End of Year Cyber Hack of Big, Fat Targets of Opportunity
December 18, 2020
I know you have heard about the end of year cyber attack. The end of 2020 is a zinger. But what caused the problem? Who is responsible? Which cyber security expert is the one to believe? Beyond Search has located an explanation, courtesy of Lorem Ipsum Anything. We posed these questions to the smart software at this next generation thumb typing site and learned:
Security harm resilience change others Beneficiaries food security persons groups objects. Institutions ecosystems entity referent security freedom change forces resilience example. Absence good want presence phenomenon range protection senses foundations secrecy. damage term purpose systems acts guarding security systems security guard security forces security companies. Security cameras e.g. state of mind telephone line containment room cell.
Makes the uptown explanations from assorted experts wishing they could have explained the cyber kick in the ribs as well. Yep, 2020 is year to remember. “Absence good want presence.”
Well said.
Stephen E Arnold, December 18, 2020
Security Vendors: Despite Marketing Claims for Smart Software Knee Jerk Response Is the Name of the Game
December 16, 2020
Update 3, December 16, 2020 at 1005 am US Eastern, the White House has activate its cyber emergency response protocol. Source: “White House Quietly Activates Cyber Emergency Response” at Cyberscoop.com. The directive is located at this link and verified at 1009 am US Eastern as online.
Update 2, December 16, 2020 at 1002 am US Eastern. The Department of Treasury has been identified as a entity compromised by the SolarWinds’ misstep. Source: US “Treasury, Commerce Depts. Hacked through SolarWinds Compromise” at KrebsonSecurity.com
Update 1, December 16, 2020, at 950 am US Eastern. The SolarWinds’ security misstep may have taken place in 2018. Source: “SolarWinds Leaked FTP Credentials through a Public GitHub Repo “mib-importer” Since 2018” at SaveBreach.com
I talked about security theater in a short interview/conversation with a former CIA professional. The original video of that conversation is here. My use of the term security theater is intended to convey the showmanship that vendors of cyber security software have embraced for the last five years, maybe more. The claims of Dark Web threat intelligence, the efficacy of investigative software with automated data feeds, and Bayesian methods which inoculate a client from bad actors— maybe this is just Madison Avenue gone mad. On the other hand, maybe these products and services don’t work particularly well. Maybe these products and services are anchored in what bad actors did yesterday and are blind to the here and now of dudes and dudettes with clever names?
Evidence of this approach to a spectacular security failure is documented in the estimable Wall Street Journal (hello, Mr. Murdoch) and the former Ziff entity ZDNet. Numerous online publications have reported, commented, and opined about the issue. One outfit with a bit of first hand experience with security challenges (yes, I am thinking about Microsoft) reported “SolarWinds Says Hack Affected 18,000 Customers, Including Two Major Government Agencies.”
One point seems to be sidestepped in the coverage of this “concern.” The corrective measures kicked in after the bad actors had compromised and accessed what may be sensitive data. Just a mere 18,000 customers were affected. Who were these “customers”? The list seems to have been disappeared from the SolarWinds’ Web site and from the Google cache. But Newsweek, an online information service, posted this which may, of course, be horse feathers (sort of like security vendors’ security systems?):
Work from Home: Manage This, Please
November 19, 2020
I read “Over Half of Remote Workers Admit to Using Rogue Tools Their IT teams Don’t Know About.” If the information in the write up is on the money, cyber security for the WFH crowd may be next to impossible. The write up reports:
According to a new report from mobile security firm NetMotion, the vast majority of remote workers (62 percent) are guilty of using Shadow IT, with some of them (25 percent) using a “significant number” of unapproved tools.
The article includes this statement:
“Sadly, our research showed that nearly a quarter of remote workers would rather suffer in silence than engage tech teams,” said Christopher Kenessey, CEO of NetMotion.
Net net: Bad actors relish the WFH revolution. The inducement of WFHers using software not vetted by their employer creates numerous opportunities for mischief. How does a firm addicted to Slack and Microsoft Teams deal with this situation:
Hey, team. I am using this nifty new app. It can speed up our production of content. You can download this software from a link I got on social media. Give it a whirl.
Manage this, please.
Stephen E Arnold, November 19, 2020
Virtual Private Networks: Not What They Seem
November 17, 2020
Virtual private networks are supposed to provide a user with additional security. There are reports about Apple surfing on this assumption in its Big Sur operating system. For more information, check out “Apple Apps on Big Sur Bypass Firewalls and VPNs — This Is Terrible.” Apple appears to making privacy a key facet of its marketing and may be experiencing one of those slips betwixt cup and lip with regard to this tasty sales Twinkie?
Almost as interesting is the information in “40% of Free VPN Apps Found to Leak Data.” Note that the assertion involves no-charge virtual private networks. The write up reports:
ProPrivacy has researched the top 250 free VPN apps available on Google Play Store and found that 40% failed to adequately protect users privacy.
Okay, security conscious Google and its curated apps on its bulletproof Play store are under the Microscope. The write up points out:
… A study by CSIRO discovered that more than 75% of free VPNs have at least one third-party tracker rooted in their software. These trackers collect information on customers online presence and forward that data to advertising agencies to optimize their ads.
Who is involved in the study? Possible the provider of for fee VPN services like NordVPN.
Marketing and privacy. Like peanut butter and honey.
Stephen E Arnold, November 17, 2020
Security Is a Game
November 12, 2020
This article’s headline caught my attention: “Stop Thinking of Cybersecurity As a Problem: Think of It As a Game.” I think I understand. The write up asserts:
The thing is, cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won’t find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it’s on organizations to protect these digital assets.
Interesting idea. Numerous cyber security solutions are available. Some organizations have multiple solutions in place. Nevertheless, bad actors continue to have success. If the information in Risk Based Security 2020 Q3 Report Data Breach QuickView is anywhere close to accurate. The “game” is being won by bad actors: Lots of data was sucked down by cyber criminals in the last nine months.
Fun, right?
Stephen E Arnold, November 12, 2020
AWS Security Maturity
November 10, 2020
Struggling with leaky S3 buckets? Discovering phishing campaigns launched from your AWS instance? Wrestling with multiple, often confusing, security options? Answer any of these questions with a “yes”, and you may want to check out this paper, “AWS Security Maturity Roadmap.” After reading the essay, you will probably consider seeking an expert to lend a hand. Hey, why not call the author of the paper? The white paper does a good job of providing a useful checklist so the reader can determine what’s been overlooked.
Stephen E Arnold, November 10, 2020
Microsoft Security: Time for a Rethink
November 1, 2020
Not long ago, the Wall Street Journal ran this full page ad for a cyber security company named Intrusion:
The ad is interesting because it highlights the failure of cyber security. Evidence of this ineffective defense is revealed in reports from the FBI, Interpol, and independent researchers: Cyber crime, particularly phishing and ransomware, are increasing. There are hundreds of threat neutralizers, smart cyber shields, and a mind boggling array of AI, machine learning, and predictive methods which are not particularly effective.
“Microsoft 365 Administrators Fail to Implement Basic Security Like MFA” provides some interesting information about the state of security for a widely used software system developed by Microsoft.
The article reveals that researchers have found that 99 percent of breaches can be “prevented using MFA.” MFA is cyber lingo for multi-factor authentication. A common way to prove that a log on is valid is to use a password. But before the password lets the user into the system, a one time code is sent to a mobile phone. The user enters the code from the phone and the system lets the person access the system. Sounds foolproof.
The write up states:
The survey research shows that approximately 78% of Microsoft 365 administrators do not have multi-factor authentication (MFA) activated.
Another finding is that:
Microsoft 365 administrators are given excessive control, leading to increased access to sensitive information. 57% of global organizations have Microsoft 365 administrators with excess permissions to access, modify, or share critical data. In addition, 36% of Microsoft 365 administrators are global admins, meaning these administrators can essentially do whatever they want in Microsoft 365. CIS O365 security guidelines suggests limiting the number of global admins to two-four operators maximum per business.
Let’s step back. If the information in the write up is correct, a major security issue is associated with Microsoft’s software. With an increase in breaches, is it time to ask:
Should Microsoft engage in a rethink of its security methods?
We know that third party vendors are not able to stem the tide of cyber crime. A security company would not buy a full page ad in the Wall Street Journal to call attention to failure if it were just marketing fluff. We know that Microsoft admins and Microsoft apps are vulnerable.
Perhaps shifting the burden from the software and cloud vendor to the user is not the optimal approach when one seeks to make security more effective and efficient. The shift is probably more economical for Microsoft; that is, let the customer carry the burden.
Some Microsoft customers may push back and say, “Wrong.” Perhaps regulators will show more interest in security if their newfound energy for taking action against monopolies does not wane? Over to the JEDI knights.
Stephen E Arnold, November 1, 2020
Cybersecurity Lapse: Lawyers and Technology
October 29, 2020
“Hackers Steal Personal Data of Google Employees after Breaching US Law Firm” is an interesting article. First, it reminds the reader that security at law firms may not be a core competency. Second, it makes clear that personal information can be captured in order to learn about every elected officials favorite company Google.
The write up states:
Fragomen, Del Rey, Bernsen & Loewy LLP, a law firm that offers employment verification compliance services to Google in the United States, suffered unauthorized access into its computer systems in September that resulted in hackers accessing the personal information of present and former Google employees.
The article quotes to a cyber security professional from ImmuniWeb. I learned:
According to Ilia Kolochenko, Founder & CEO of ImmuniWeb, the fact that hackers targeted a law firm that stores a large amount of data associated with present and former Google employees is not surprising as law firms possess a great wealth of the most confidential and sensitive data of their wealthy or politically-exposed clients, and habitually cannot afford the same state-of-the-art level of cybersecurity as the original data owners.
This law firm, according to the write up, handles not just the luminary Google. It also does work for Lady Gaga and Run DMC.
Stephen E Arnold, October 29, 2020
Covid Trackers Are Wheezing in Europe
October 19, 2020
COVID-19 continues to roar across the world. Health professionals and technologists have combined their intellects attempting to provide tools to the public. The Star Tribune explains how Europe wanted to use apps to track the virus: “As Europe Faces 2nd Wave Of Virus, Tracing Apps Lack Impact.”
Europe planned that mobile apps tracking where infected COVID-19 individuals are located would be integral to battling the virus. As 2020 nears the end, the apps have failed because of privacy concerns, lack of public interest, and technical problems. The latter is not a surprise given the demand for a rush job. The apps were supposed to notify people when they were near infected people.
Health professionals predicted that 60% of European country populations would download and use the apps, but adoption rates are low. The Finnish, however, reacted positively and one-third of the country downloaded their country’s specific COVID-19 tracking app. Finland’s population ironically resists wearing masks in public.
The apps keep infected people’s identities secret. Their data remains anonymous and the apps only alert others if they come in contact with a virus carrier. If the information provides any help to medical professionals remains to be seen:
“We might never know for sure, said Stephen Farrell, a computer scientist at Trinity College Dublin who has studied tracing apps. That’s because most apps don’t require contact information from users, without which health authorities can’t follow up. That means it’s hard to assess how many contacts are being picked up only through apps, how their positive test rates compare with the average, and how many people who are being identified anyway are getting tested sooner and how quickly. ‘I’m not aware of any health authority measuring and publishing information about those things, and indeed they are likely hard to measure,’ Farrell said.”
Are these apps actually helpful? Maybe. But they require maintenance and constant updating. They could prevent some of the virus from spreading, but sticking to tried and true methods of social distancing, wearing masks, and washing hands work better.
Whitney Grace, October 19, 2020
-
- Subscribe to Beyond Search
Feature archive
News archive
-
